2. • Electrical Engineering education
with focus on CS and Infosec
• 10 years of fun with hardware
o silicon debug
o security research
o pen testing of CPUs
o security training
• Hardware Security Training:
o “Applied Physical Attacks on
x86 Systems”
Speaker Bio
Joe FitzPatrick
@securelyfitz
joefitz@securinghardware.com
3. Speaker Bio
• Electrical and Computer
Engineering education, with focus
on hardware design and test
• 10+ years designing,
implementing, and testing SoC
silicon debug features
• Hardware and firmware pentesting
Matt King
@syncsrc
jtag@syncsrc.org
34. Access Non-Volatile Storage
Cons:
- Really slow
- Requires mapping out the full
boundary scan or a BDSL file
- Really slow
- Requires emulating the flash
interface protocol
- Really, really slow
Pros:
- Access to BGA pins without
desoldering anything
- Works regardless of CPU
functionality
- You can visit a park, go out for a
beer, and sometimes take a week
holiday while it works
35. Run Control
“Optional” vendor-specific registers which:
Allows insertion of commands
- read/write memory, registers, or I/O ports
Control of execution
- step through instructions
- step into other code
- breakpoints
38. strings and grep
- if you know just what you’re looking for
binwalk
- it’s meant for firmware images, but
- it recognizes commons structures like:
- files in memory
- keys and certificates
- some code blocks
Simple Memory Analysis
42. Memory Scraping & Analysis
Cons:
- Still slow
- May Will almost certainly crash
the target
- Not fast
- Need to be careful about paging
and MMUs
- Slow
Pros:
- Minimal target knowledge
required
- Existing forensic analysis tools
- Inception over Jtag =
SLOWCEPTION
- Plenty of time to take your wife
out for dinner
44. Commands passed to the kernel
(and beyond) at boot:
-bootargs=console=ttyS0,115200 root=ubi0:rootfs
ubi.mtd=4,2048 rootfstype=ubifs
Boot Arguments can tell us to boot in single
user mode:
-bootargs=console=ttyS0,115200 root=ubi0:rootfs
ubi.mtd=4,2048 rootfstype=ubifs 1
Boot Arguments
46. 1. Set a breakpoint or watchpoint
2. Wait for the kernel to be loaded in memory
3. Halt
4. Patch kernel
5. Allow patched kernel to boot
Boot Arguments
47.
48.
49. Boot Patch
Cons:
- Has to be done at boot time
- Single user mode means
manually mounting everything
Pros:
- Can be done after a kernel
signature is checked
- Doesn’t depend on persistent
storage or root file system
contents
- Rebooting doesn’t take several
days
51. Linux File System ACL Enforcement
int generic_permission(struct inode *inode, int mask) {
int ret;
/*
* Do the basic permission checks.
*/
ret = acl_permission_check(inode, mask);
if (ret != -EACCES)
return ret;
……..
/*
* Searching includes executable on directories, else just read.
*/
mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
if (mask == MAY_READ)
if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
return 0;
return -EACCES;
}
52. Locating Kernel Functions
$ cat /proc/kallsyms
c1000000 T startup_32
c1000000 T _text
c1001000 T wakeup_pmode_return
c100104c t bogus_magic
c100104e t save_registers
….
c10adec0 T page_follow_link_light
c10adef0 T page_readlink
c10adf40 T generic_permission
c10ae0f0 t follow_dotdot_rcu
c10ae270 t follow_dotdot
c10ae340 t handle_dots
c10ae380 T full_name_hash
c10ae3c0 T final_putname
c10ae400 t getname_flags
c10ae4f0 T getname
c10ae500 T __inode_permission
53. Identifying Patch Point
loc_0x0000003b:
83 c4 08 add esp,0x8
5b pop ebx
5e pop esi
5f pop edi
5d pop ebp
c3 ret
...
ba 02 00 00 00 mov edx,0x2
89 f0 mov eax,esi
e8 dd 4c f8 ff call 0xfff84da0
84 c0 test al,al
0f 85 6e ff ff ff jne 0x00000039
90 nop
8d 74 26 00 lea esi,[esi+eiz*1+0x0]
b8 f3 ff ff ff mov eax,0xfffffff3 ; mov eax, -EACCESS
e9 61 ff ff ff jmp 0x0000003b ; goto function return
54. Delivery Options
Convert JTAG sequences into a
standard format (SVF/XSVF)
Enables replay of debug
performed in OpenOCD
- mww 0xc10ae011 0
!Begin Test Progra
TRST OFF;
ENDIR IDLE;
ENDDR IDLE;
HIR 8 TDI (00);
HDR 16 TDI (FFFF
TIR 16 TDI (0000)
TDR 8 TDI (12);
SIR 8 TDI (41);
SDR 32 TDI (ABC
STATE DRPAUSE
RUNTEST 100 TC
55.
56. Kernel Patch
Cons:
- Target & kernel specific
- SVF does not support data-
dependant control flow
- Need to understand and
manage implicit debugger actions
- Effort required to find fixed-
location kernel functions and
patches for them
Pros:
- Can be applied to running target
- Fast
- Can be implemented as an SVF
- Many hardware and software
options for SVF playback
59. Searching Memory
OpenOCD has a scripting interface
- and examples in python
Check every page in memory for target process
- Read 8 bytes at offset 0x7c9 (512x speedup)
- Compare to signature, patch if match found
60.
61.
62. Patch a Process
Cons:
- Needs a small signature at a
known page offset (to find
process in memory)
- Requires knowledge of
processes running on the target
system
Pros:
- Can be applied to running target
- Arbitrarily change any process
- Still relatively fast
- More resilient to changes in
target software
63. Summary
The CPU runs the show, but JTAG calls the
shots via:
I/O control
Run control
Memory access
https://github.com/syncsrc/jtagsploitation